Sudheer H R <sudheer.hr@tekenlight.com> writes:
> While trying to sanitise the code for heap buffer overflows I compiled and linked the executable with clang
-fsanitize=“address”option. The connection library indicates a buffer over flow in an internal source code of the
module.
Hm, interesting. Our code is expecting that gss_display_status() returns
a null-terminated string, but this trace suggests that the string is
not necessarily null-terminated. The documentation I found on the net
is unclear on the point, and the code I could find is split as to how
the string is treated. If it's not supposed to be null-terminated,
we're hardly the only ones making that mistake.
In any case, you wouldn't get here unless we'd run into some kind of
problem trying to make a GSS connection. Could you maybe explain the
conditions you're running this under, and/or print out the failure message
it constructs?
regards, tom lane